OC ACL
Packages:
- openconfig-acl.yang
- openconfig-packet-match-types.yang
- openconfig-packet-match.yang
Creating an IPv4 ACL Policy with ACE
Creating an IPv4 ACL Policy with ACE
Request:
<!--
  NETCONF <edit-config> that creates OpenConfig ACL set "foo" (ACL_IPV4)
  with one entry, sequence-id 100. List keys (name/type, sequence-id) are
  given both as key leaves and inside the matching <config> container.
  Review notes:
  - The target is <running/> and no candidate/commit step is shown, so an
    accepted request changes the live configuration directly.
  - The entry matches 0.0.0.0/0 to 0.0.0.0/0 with ACCEPT: a permit-any
    rule. Real policies normally narrow the prefixes and protocol.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
            <config>
              <name>foo</name>
              <type>ACL_IPV4</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>100</sequence-id>
                <config>
                  <sequence-id>100</sequence-id>
                </config>
                <ipv4>
                  <config>
                    <source-address>0.0.0.0/0</source-address>
                    <destination-address>0.0.0.0/0</destination-address>
                    <!-- The page's CLI equivalent renders dscp 0 as "dscp default". -->
                    <dscp>0</dscp>
                    <!-- The page's CLI equivalent renders protocol 4 as "ip".
                         IANA assigns 4 to IPv4 encapsulation, so confirm how
                         the platform maps this value before reusing it. -->
                    <protocol>4</protocol>
                    <!-- Rendered as "ttl 5" in the CLI equivalent. -->
                    <hop-limit>5</hop-limit>
                  </config>
                </ipv4>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: IPv4 ACL – acl/acl-sets
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ip access-list foo
100 permit ip any any dscp default ttl 5
Querying an IPv4 ACL Policy
Querying an IPv4 ACL Policy
Request:
<!--
  NETCONF <get-config> on the running datastore with a subtree filter.
  The <name> and <type> leaves carry values, so they select only the
  ACL set "foo" of type ACL_IPV4. The reply holds configuration data only.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:4d239666-2f95-4156-ad80-6ff1de8b0599">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo</name>
<type>ACL_IPV4</type>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
<config>
<sequence-id>100</sequence-id>
</config>
<ipv4>
<config>
<destination-address>0.0.0.0/0</destination-address>
<dscp>0</dscp>
<hop-limit>5</hop-limit>
<protocol>4</protocol>
<source-address>0.0.0.0/0</source-address>
</config>
</ipv4>
<sequence-id>100</sequence-id>
</acl-entry>
</acl-entries>
<config>
<name>foo</name>
<type>ACL_IPV4</type>
</config>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
show run aclmgr
ip access-list foo
100 permit ip any any dscp default ttl 5
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Deleting an IPv4 ACL Policy
Deleting an IPv4 ACL Policy
Request:
<!--
  NETCONF <edit-config> that deletes ACL set "foo" (ACL_IPV4) from the
  running datastore. The xc prefix is bound to the NETCONF base namespace
  on <config> so that xc:operation can be set on <acl-set>.
  Review notes:
  - operation="delete" returns an rpc-error (data-missing) when the entry
    does not exist; operation="remove" is the variant that ignores a
    missing entry (RFC 6241).
  - What happens to interfaces that still reference the ACL is not shown
    on this page. Check the acl/interfaces bindings before deleting.
-->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>foo</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
no ip access-list foo
Creating IPv6 ACL policy with ACE
Creating IPv6 ACL policy with ACE
Request:
<!--
  NETCONF <edit-config> that creates OpenConfig ACL set "foo6" (ACL_IPV6)
  with one entry, sequence-id 200, that drops TCP between two prefixes.
  The page gives "200 deny tcp 10::10/64 10::11/64" as the CLI equivalent.
  Review notes:
  - The target is <running/>; no candidate/commit step is shown.
  - Both prefixes have host bits set under a /64 mask and fall in the same
    /64. Whether the device matches them as written or as the covering
    network is not shown here; confirm before relying on the rule.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo6</name>
            <type>ACL_IPV6</type>
            <config>
              <name>foo6</name>
              <type>ACL_IPV6</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>200</sequence-id>
                <config>
                  <sequence-id>200</sequence-id>
                </config>
                <ipv6>
                  <config>
                    <source-address>10::10/64</source-address>
                    <destination-address>10::11/64</destination-address>
                    <protocol>IP_TCP</protocol>
                  </config>
                </ipv6>
                <actions>
                  <config>
                    <forwarding-action>DROP</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: IPv6 ACL – acl/acl-sets
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ipv6 access-list foo6
200 deny tcp 10::10/64 10::11/64
Querying an IPv6 ACL Policy
Querying an IPv6 ACL Policy
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get-config>
<source>
<running/>
</source>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo6</name>
<type>ACL_IPV6</type>
</acl-set>
</acl-sets>
</acl>
</filter>
</get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo6</name>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>DROP</forwarding-action>
</config>
</actions>
<config>
<sequence-id>200</sequence-id>
</config>
<ipv6>
<config>
<destination-address>10::11/64</destination-address>
<protocol>IP_TCP</protocol>
<source-address>10::10/64</source-address>
</config>
</ipv6>
<sequence-id>200</sequence-id>
</acl-entry>
</acl-entries>
<config>
<name>foo6</name>
<type>ACL_IPV6</type>
</config>
<type>ACL_IPV6</type>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
CLI Output
switch# show run aclmgr
ipv6 access-list foo6
200 deny tcp 10::10/64 10::11/64
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Deleting an IPv6 ACL Policy
Deleting an IPv6 ACL Policy
<!--
  Deletes the IPv6 ACL set "foo6" from the running datastore.
  xc:operation="delete" fails with data-missing if "foo6" is absent
  (RFC 6241); "remove" is the operation that tolerates a missing entry.
  The effect on interfaces still bound to this ACL is not shown here, so
  review the acl/interfaces bindings first.
-->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>foo6</name>
            <type>ACL_IPV6</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/>
</rpc-reply>
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
no ipv6 access-list foo6
Creating a Layer 2/MAC ACL Policy with ACE
Creating a Layer 2/MAC ACL Policy with ACE
Request:
<!--
  NETCONF <edit-config> that creates the Layer 2 ACL set "fooMac" (ACL_L2)
  with one ACCEPT entry, sequence-id 10, matching on source MAC,
  destination MAC and ethertype.
  Review notes:
  - The target is <running/>; no candidate/commit step is shown.
  - The page's CLI equivalent carries each mask over unchanged
    (00:00:00:00:00:00 becomes 0000.0000.0000). Which mask bits mean
    "must match" is not stated on this page; confirm on the platform, as a
    mask read the wrong way round widens the rule to every address.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>fooMac</name>
            <type>ACL_L2</type>
            <config>
              <name>fooMac</name>
              <type>ACL_L2</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>10</sequence-id>
                <config>
                  <sequence-id>10</sequence-id>
                </config>
                <l2>
                  <config>
                    <source-mac>00:01:00:02:00:03</source-mac>
                    <source-mac-mask>00:00:00:00:00:00</source-mac-mask>
                    <destination-mac>00:01:00:02:00:02</destination-mac>
                    <destination-mac-mask>00:00:00:00:00:00</destination-mac-mask>
                    <!-- Sent as 0x806; the query response on this page
                         returns the same leaf as ETHERTYPE_ARP. -->
                    <ethertype>0x806</ethertype>
                  </config>
                </l2>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: L2 ACL – acl/acl-sets
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
mac access-list fooMac
10 permit 0001.0002.0003 0000.0000.0000 0001.0002.0002 0000.0000.0000 0x806
Querying a MAC ACL policy
Querying a MAC ACL Policy
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get-config>
<source>
<running/>
</source>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>fooMac</name>
<type>ACL_L2</type>
</acl-set>
</acl-sets>
</acl>
</filter>
</get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>fooMac</name>
<type>ACL_L2</type>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
<config>
<sequence-id>10</sequence-id>
</config>
<l2>
<config>
<destination-mac>00:01:00:02:00:02</destination-mac>
<destination-mac-mask>00:00:00:00:00:00</destination-mac-mask>
<ethertype>ETHERTYPE_ARP</ethertype>
<source-mac>00:01:00:02:00:03</source-mac>
<source-mac-mask>00:00:00:00:00:00</source-mac-mask>
</config>
</l2>
<sequence-id>10</sequence-id>
</acl-entry>
</acl-entries>
<config>
<name>fooMac</name>
<type>ACL_L2</type>
</config>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
CLI Output
switch# show run aclmgr
mac access-list fooMac
10 permit 0001.0002.0003 0000.0000.0000 0001.0002.0002 0000.0000.0000 0x806
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Deleting a MAC ACL Policy
Deleting a MAC ACL Policy
Request:
<!--
  Deletes the Layer 2 ACL set "fooMac" from the running datastore.
  With xc:operation="delete" the server reports data-missing when the ACL
  does not exist (RFC 6241); use "remove" where a missing entry should be
  ignored. Interface bindings that still name this ACL are not covered by
  this request; inspect acl/interfaces before sending it.
-->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>fooMac</name>
            <type>ACL_L2</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/>
</rpc-reply>
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
no mac access-list fooMac
Applying an IPv4 ACL Policy to a Layer 3 Interface
Applying an IPv4 ACL Policy to a Layer 3 Interface
Request:
<!--
  NETCONF <edit-config> that binds ACL set "foo" (ACL_IPV4) to interface
  eth1/2 in both directions: once under <ingress-acl-sets> and once under
  <egress-acl-sets>. The page gives "ip access-group foo in" and
  "ip access-group foo out" as the CLI equivalent.
  Review notes:
  - The target is <running/>, so the binding is applied to the live
    configuration; filtering on management-facing interfaces should be
    checked against the ACL contents first.
  - The request only references the ACL by name and type. Whether the
    device rejects a binding to an ACL that does not exist is not shown.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/2</id>
            <config>
              <id>eth1/2</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/2</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>foo</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>foo</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
            <egress-acl-sets>
              <egress-acl-set>
                <set-name>foo</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>foo</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </egress-acl-set>
            </egress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: IPv4 RACL - acl/interfaces
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
interface ethernet1/2
ip access-group foo in
ip access-group foo out
Querying an IPv4 ACL Policy Applied to an Interface
Querying an IPv4 ACL Policy Applied to an Interface
Request:
<!--
  NETCONF <get-config> on the running datastore. The empty <interfaces/>
  element in the subtree filter selects the whole acl/interfaces subtree,
  i.e. every interface-to-ACL binding held in the configuration.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces/>
      </acl>
    </filter>
  </get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<config>
<id>eth1/2</id>
</config>
<id>eth1/2</id>
<egress-acl-sets>
<egress-acl-set>
<config>
<set-name>foo</set-name>
<type>ACL_IPV4</type>
</config>
<set-name>foo</set-name>
<type>ACL_IPV4</type>
</egress-acl-set>
</egress-acl-sets>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>foo</set-name>
<type>ACL_IPV4</type>
</config>
<set-name>foo</set-name>
<type>ACL_IPV4</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/2</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
</data>
</rpc-reply>
CLI Output
switch# show ip access-lists foo summary
IPV4 ACL foo
Statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
Ethernet1/2 - ingress (Router ACL)
Ethernet1/2 - egress (Router ACL)
Active on interfaces:
Ethernet1/2 - ingress (Router ACL)
Ethernet1/2 - egress (Router ACL)
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Querying Matched Packets Per IPv4 ACE
Querying Matched Packets Per IPv4 ACE
Request:
<!--
  NETCONF <get> with a subtree filter. <name> and <type> select ACL set
  "foo" (ACL_IPV4); the empty <matched-packets/> element under <state>
  asks for that counter on each entry. <get> is used because the counter
  is state data, which <get-config> does not return.
  The page notes that "statistics per-entry" has to be configured through
  the CLI for the counter to be returned.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
            <acl-entries>
              <acl-entry>
                <state>
                  <matched-packets/>
                </state>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo</name>
<type>ACL_IPV4</type>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<state>
<matched-packets>10</matched-packets>
</state>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
Note: The statistics per-entry command must be configured on the ACL through the CLI for the matched packets to be returned in the <get> response displayed in the pane on the right.
Type: State Data
CLI Commands
ip access-list foo
statistics per-entry
10 deny icmp any any
interface Ethernet1/2
ip access-group foo in
ip access-group foo out
CLI Output
The CLI output below is equivalent to the payload example displayed in the pane on the right.
switch# show ip access-lists foo
IP access list foo
statistics per-entry
10 deny icmp any any [match=10]
Note: To get the state data along with the config data, use the <get> operation.
Applying an IPv6 ACL Policy to a Layer 3 Interface
Applying an IPv6 ACL Policy to a Layer 3 Interface
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/6</id>
<config>
<id>eth1/6</id>
</config>
<interface-ref>
<config>
<interface>eth1/6</interface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
<config>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
</config>
</edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: IPv6 RACL – acl/interfaces
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
interface Ethernet1/6
ipv6 traffic-filter foo6 in
Querying an IPv6 ACL Policy Applied to an Interface
Querying an IPv6 ACL Policy Applied to an Interface
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get-config>
<source>
<running/>
</source>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/6</id>
</interface>
</interfaces>
</acl>
</filter>
</get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/6</id>
<config>
<id>eth1/6</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
</config>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/6</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
</data>
</rpc-reply>
CLI Output
switch# show ipv6 access-lists foo6 summary
IPV6 ACL foo6
Statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
Ethernet1/6 - ingress (Router ACL)
Active on interfaces:
Ethernet1/6 - ingress (Router ACL)
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Querying Matched Packets Per IPv6 ACE
Querying Matched Packets Per IPv6 ACE
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo6</name>
<type>ACL_IPV6</type>
</acl-set>
</acl-sets>
<interfaces>
<interface>
<id>eth1/6</id>
</interface>
</interfaces>
</acl>
</filter>
</get>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>foo6</name>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>DROP</forwarding-action>
</config>
</actions>
<config>
<sequence-id>200</sequence-id>
</config>
<ipv6>
<config>
<destination-address>10::11/64</destination-address>
<protocol>58</protocol>
<source-address>10::10/64</source-address>
</config>
</ipv6>
<sequence-id>200</sequence-id>
<state>
<matched-packets>10</matched-packets>
</state>
</acl-entry>
</acl-entries>
<config>
<name>foo6</name>
<type>ACL_IPV6</type>
</config>
<type>ACL_IPV6</type>
</acl-set>
</acl-sets>
<interfaces>
<interface>
<name>eth1/6</name>
<id>eth1/6</id>
<config>
<id>eth1/6</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
</config>
<set-name>foo6</set-name>
<type>ACL_IPV6</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/6</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
</data>
</rpc-reply>
Note: The statistics per-entry command must be configured on the ACL through the CLI for the matched packets to be returned in the <get> response displayed in the pane on the right.
Type: State Data
CLI Commands
ipv6 access-list foo6
statistics per-entry
200 deny icmp 10::10/64 10::11/64
interface Ethernet1/6
ipv6 traffic-filter foo6 in
CLI Output
The CLI output below is equivalent to the payload example displayed in the pane on the right.
switch# show ipv6 access-lists foo6
IPv6 access list foo6
statistics per-entry
200 deny icmp 10::10/64 10::11/64 [match=10]
Note: To get the state data along with the config data, use the <get> operation.
Applying a MAC ACL Policy to a Layer 2 Interface
Applying a MAC ACL Policy to a Layer 2 Interface
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/1</id>
<config>
<id>eth1/1</id>
</config>
<interface-ref>
<config>
<interface>eth1/1</interface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>fooMac</set-name>
<type>ACL_L2</type>
<config>
<set-name>fooMac</set-name>
<type>ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
</config>
</edit-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<ok/>
</rpc-reply>
Container: MAC Port ACL – acl/interfaces
Type: Config Data
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
interface Ethernet1/1
mac port access-group fooMac
Querying a MAC ACL Policy Applied to an Interface
Querying a MAC ACL Policy Applied to an Interface
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get-config>
<source>
<running/>
</source>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/1</id>
</interface>
</interfaces>
</acl>
</filter>
</get-config>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/1</id>
<config>
<id>eth1/1</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>fooMac</set-name>
<type>ACL_L2</type>
</config>
<set-name>fooMac</set-name>
<type>ACL_L2</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
</data>
</rpc-reply>
CLI Output
The CLI output below is equivalent to the payload example displayed in the pane on the right.
switch# show mac access-lists fooMac summary
MAC ACL fooMac
Statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
Ethernet1/1 - ingress (Port ACL)
Active on interfaces:
Ethernet1/1 - ingress (Port ACL)
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Querying Matched Packets Per MAC ACE
Querying Matched Packets Per MAC ACE
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get>
<filter>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>fooMac</name>
<type>ACL_L2</type>
<acl-entries>
<acl-entry>
<state>
<matched-packets/>
</state>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
</filter>
</get>
</rpc>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>fooMac</name>
<type>ACL_L2</type>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<state>
<matched-packets>4</matched-packets>
</state>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
Note: The statistics per-entry command must be configured on the ACL through the CLI for the matched packets to be returned in the <get> response displayed in the pane on the right.
Type: State Data
CLI Commands
mac access-list fooMac
statistics per-entry
10 deny any 380e.4d40.eb7f ffff.ffff.ffff
interface Ethernet1/1
mac port access-group fooMac
CLI Output
The CLI output below is equivalent to the payload example displayed in the pane on the right.
switch# show mac access-lists fooMac
MAC access list fooMac
statistics per-entry
10 deny any 380e.4d40.eb7f ffff.ffff.ffff [match=4]
Note: To get the state data along with the config data, use the <get> operation.
Creating the Combination Payload for the OC ACL Model
Creating the Combination Payload for the OC ACL Model
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>full-ipv4</name>
<type>ACL_IPV4</type>
<config>
<name>full-ipv4</name>
<type>ACL_IPV4</type>
</config>
<acl-entries>
<acl-entry>
<sequence-id>123</sequence-id>
<config>
<sequence-id>123</sequence-id>
</config>
<ipv4>
<config>
<source-address>0.0.0.0/0</source-address>
<destination-address>0.0.0.0/0</destination-address>
<dscp>25</dscp>
<protocol>IP_TCP</protocol>
<hop-limit>5</hop-limit>
</config>
</ipv4>
<transport>
<config>
<source-port>10</source-port>
<destination-port>20</destination-port>
<tcp-flags>TCP_ACK</tcp-flags>
</config>
</transport>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
<acl-set>
<name>full-mac</name>
<type>ACL_L2</type>
<config>
<name>full-mac</name>
<type>ACL_L2</type>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<l2>
<config>
<source-mac>01:02:03:04:05:06</source-mac>
<source-mac-mask>00:00:00:00:00:00</source-mac-mask>
<destination-mac>01:02:03:04:05:07</destination-mac>
<destination-mac-mask>FF:FF:FF:FF:FF:FF</destination-mac-mask>
<ethertype>ETHERTYPE_ARP</ethertype>
</config>
</l2>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
<acl-set>
<name>full-ipv6</name>
<type>ACL_IPV6</type>
<config>
<name>full-ipv6</name>
<type>ACL_IPV6</type>
</config>
<acl-entries>
<acl-entry>
<sequence-id>12</sequence-id>
<config>
<sequence-id>12</sequence-id>
</config>
<ipv6>
<config>
<source-address>0::0/0</source-address>
<destination-address>0::0/0</destination-address>
<dscp>23</dscp>
<protocol>41</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action>DROP</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
<interfaces>
<interface>
<id>eth1/31.23</id>
<config>
<id>eth1/31.23</id>
</config>
<interface-ref>
<config>
<interface>eth1/31</interface>
<subinterface>23</subinterface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>full-ipv6</set-name>
<type>ACL_IPV6</type>
<config>
<set-name>full-ipv6</set-name>
<type>ACL_IPV6</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
<interface>
<id>eth1/31</id>
<config>
<id>eth1/31</id>
</config>
<interface-ref>
<config>
<interface>eth1/31</interface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
<config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<egress-acl-sets>
<egress-acl-set>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
<config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</config>
</egress-acl-set>
</egress-acl-sets>
</interface>
<interface>
<id>eth1/32</id>
<config>
<id>eth1/32</id>
</config>
<interface-ref>
<config>
<interface>eth1/32</interface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>full-mac</set-name>
<type>ACL_L2</type>
<config>
<set-name>full-mac</set-name>
<type>ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/>
</rpc-reply>
Note: Subinterface Eth1/31.23 should already exist on the device before the payload in this example is executed.
CLI Output
ip access-list full-ipv4
123 permit tcp any eq 10 any eq 20 ack dscp 25 ttl 5
ipv6 access-list full-ipv6
12 deny ipv6 any any dscp 23
mac access-list full-mac
1 permit 0102.0304.0506 0000.0000.0000 0102.0304.0507 ffff.ffff.ffff 0x806
interface Ethernet1/31
ip access-group full-ipv4 in
ip access-group full-ipv4 out
interface Ethernet1/31.23
ipv6 traffic-filter full-ipv6 in
interface Ethernet1/32
mac port access-group full-mac
Querying a Configuration on the Combination Payload for the OC ACL Model
Querying a Configuration on the Combination Payload for the OC ACL Model
Request:
<!--
  NETCONF <get-config> on the running datastore. The empty <acl/> element
  in the subtree filter selects the entire OpenConfig ACL subtree: all
  ACL sets and all interface bindings held in the configuration.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl"/>
    </filter>
  </get-config>
</rpc>
Response:
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<config>
<id>eth1/31</id>
</config>
<id>eth1/31</id>
<egress-acl-sets>
<egress-acl-set>
<config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</egress-acl-set>
</egress-acl-sets>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</config>
<set-name>full-ipv4</set-name>
<type>ACL_IPV4</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/31</interface>
</config>
</interface-ref>
</interface>
<interface>
<config>
<id>eth1/31.23</id>
</config>
<id>eth1/31.23</id>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>full-ipv6</set-name>
<type>ACL_IPV6</type>
</config>
<set-name>full-ipv6</set-name>
<type>ACL_IPV6</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/31</interface>
<subinterface>23</subinterface>
</config>
</interface-ref>
</interface>
<interface>
<config>
<id>eth1/32</id>
</config>
<id>eth1/32</id>
<ingress-acl-sets>
<ingress-acl-set>
<config>
<set-name>full-mac</set-name>
<type>ACL_L2</type>
</config>
<set-name>full-mac</set-name>
<type>ACL_L2</type>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1/32</interface>
</config>
</interface-ref>
</interface>
</interfaces>
<acl-sets>
<acl-set>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
<config>
<sequence-id>123</sequence-id>
</config>
<ipv4>
<config>
<destination-address>0.0.0.0/0</destination-address>
<dscp>25</dscp>
<hop-limit>5</hop-limit>
<protocol>IP_TCP</protocol>
<source-address>0.0.0.0/0</source-address>
</config>
</ipv4>
<sequence-id>123</sequence-id>
<transport>
<config>
<destination-port>20</destination-port>
<source-port>10</source-port>
<tcp-flags>TCP_ACK</tcp-flags>
</config>
</transport>
</acl-entry>
</acl-entries>
<config>
<name>full-ipv4</name>
<type>ACL_IPV4</type>
</config>
<name>full-ipv4</name>
<type>ACL_IPV4</type>
</acl-set>
<acl-set>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>DROP</forwarding-action>
</config>
</actions>
<config>
<sequence-id>12</sequence-id>
</config>
<ipv6>
<config>
<destination-address>0::0/0</destination-address>
<dscp>23</dscp>
<protocol>41</protocol>
<source-address>0::0/0</source-address>
</config>
</ipv6>
<sequence-id>12</sequence-id>
</acl-entry>
</acl-entries>
<config>
<name>full-ipv6</name>
<type>ACL_IPV6</type>
</config>
<name>full-ipv6</name>
<type>ACL_IPV6</type>
</acl-set>
<acl-set>
<acl-entries>
<acl-entry>
<actions>
<config>
<forwarding-action>ACCEPT</forwarding-action>
</config>
</actions>
<config>
<sequence-id>1</sequence-id>
</config>
<l2>
<config>
<destination-mac>01:02:03:04:05:07</destination-mac>
<destination-mac-mask>FF:FF:FF:FF:FF:FF</destination-mac-mask>
<ethertype>ETHERTYPE_ARP</ethertype>
<source-mac>01:02:03:04:05:06</source-mac>
<source-mac-mask>00:00:00:00:00:00</source-mac-mask>
</config>
</l2>
<sequence-id>1</sequence-id>
</acl-entry>
</acl-entries>
<config>
<name>full-mac</name>
<type>ACL_L2</type>
</config>
<name>full-mac</name>
<type>ACL_L2</type>
</acl-set>
</acl-sets>
</acl>
</data>
</rpc-reply>
CLI Output
switch# show run aclmgr
ip access-list full-ipv4
123 permit tcp any eq 10 any eq ftp-data ack dscp 25 ttl 5
ipv6 access-list full-ipv6
12 deny ipv6 any any dscp 23
mac access-list full-mac
1 permit 0102.0304.0506 0000.0000.0000 0102.0304.0507 ffff.ffff.ffff 0x806
interface Ethernet1/31
ip access-group full-ipv4 in
ip access-group full-ipv4 out
interface Ethernet1/31.23
ipv6 traffic-filter full-ipv6 in
interface Ethernet1/32
mac port access-group full-mac
Note: To get the state data along with the config data, use the <get> operation instead of <get-config>.
Configuring an IPv4 Access-Control List
Configuring an IPv4 Access-Control List
<!--
  NETCONF <edit-config> that creates the ACL set "factIpv4" (ACL_IPV4) in
  the running datastore with no entries. The page gives
  "ip access-list factIpv4" as the CLI equivalent.
  How the platform treats traffic on an interface bound to an ACL that has
  no entries is not shown on this page; confirm before binding it.
-->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
            <config>
              <name>factIpv4</name>
              <type>ACL_IPV4</type>
            </config>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ip access-list factIpv4
Configuring IPv4 ACE
Configuring IPv4 ACE
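<!--
  NETCONF <edit-config> that adds entry 1 to ACL set "factIpv4" (ACL_IPV4).
  The page printed only the <acl> subtree for this example; the
  rpc / edit-config / target / config envelope used by the other requests
  on the page is added here so the payload is a complete request.
  Review notes:
  - The entry matches 0.0.0.0/0 to 0.0.0.0/0 with ACCEPT ("1 permit ip any
    any" in the page's CLI equivalent), i.e. a permit-any rule.
  - The target is <running/>; no candidate/commit step is shown.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
            <config>
              <name>factIpv4</name>
              <type>ACL_IPV4</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>1</sequence-id>
                <config>
                  <sequence-id>1</sequence-id>
                </config>
                <ipv4>
                  <config>
                    <source-address>0.0.0.0/0</source-address>
                    <destination-address>0.0.0.0/0</destination-address>
                    <!-- Rendered as "ip" in the page's CLI equivalent. -->
                    <protocol>4</protocol>
                  </config>
                </ipv4>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>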
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ip access-list factIpv4
1 permit ip any any
Applying IPv4 ACL to an Interface
Applying IPv4 ACL to an Interface
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1/1</id>
<config>
<id>eth1/1</id>
</config>
<interface-ref>
<config>
<interface>eth1/1</interface>
</config>
</interface-ref>
<ingress-acl-sets>
<ingress-acl-set>
<set-name>factIpv4</set-name>
<type>ACL_IPV4</type>
<config>
<set-name>factIpv4</set-name>
<type>ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
</config>
</edit-config>
</rpc>
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
interface eth1/1
ip access-group factIpv4 in
Deleting an IPv4 ACL
Deleting an IPv4 ACL
<!--
  NETCONF <edit-config> that deletes ACL set "factIpv4" (ACL_IPV4) from
  the running datastore. Here the NETCONF base namespace is bound to the
  nc prefix directly on <acl-set>, where nc:operation is used.
  nc:operation="delete" returns data-missing when the ACL is absent
  (RFC 6241); "remove" ignores a missing entry. An earlier example on this
  page binds factIpv4 to eth1/1; how the device handles deletion while
  that binding exists is not shown, so check acl/interfaces first.
-->
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
no ip access-list factIpv4
Configuring an IPv6 Access-Control List
Configuring an IPv6 Access-Control List
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>factIpv6</name>
<type>ACL_IPV6</type>
<config>
<name>factIpv6</name>
<type>ACL_IPV6</type>
</config>
</acl-set>
</acl-sets>
</acl>
</config>
</edit-config>
</rpc>
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ipv6 access-list factIpv6
Configuring IPv6 ACE
Configuring IPv6 ACE
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>factIpv6</name>
<type>ACL_IPV6</type>
<config>
<name>factIpv6</name>
<type>ACL_IPV6</type>
</config>
<acl-entries>
<acl-entry>
<sequence-id>200</sequence-id>
<config>
<sequence-id>200</sequence-id>
</config>
<ipv6>
<config>
<source-address>10::10/64</source-address>
<destination-address>10::11/64</destination-address>
<protocol>IP_TCP</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action>DROP</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
</config>
</edit-config>
</rpc>
Note: This example was added in Release 9.3(5).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right.
ipv6 access-list factIpv6
200 deny tcp 10::10/64 10::11/64